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i ] 7 k ttcEi istzmk^j x?mm 

TK^fAft i SCS IlCckOTlNX hfcCDAffl* 
*ff5*y h^-^-f >^Xa:— X<h,. r>f^?7K 
yXrASfilWt5f^X?7K3>hD-7t. « 

h &mzmt>nz> i P7 

SttJttfttt. teffi5El PTKV'XilESIfcl P7 Kl/X 

X^TW v-X^Ao 
[ffiWcgt 2 ] fg^JS 1 W6mf< 7,2 7 V^i yXfA 

-^v-x^Atc^x. ««aSB**&oiS*^J:0;i/ 
-^±Tfci£7&I P7H l^X I PT FUXCDffl 

ted: ote^-7^;i/^u >^^ff ^ ^i^fCcfco, mm^— 

[0 0 0 1] 

-^^X^AOfEtt^X^A^UTffll^n^^^X^ 

^7KyXrA©7^tXir+aUr^ l:Kt5. 
[0 0 0 2] 

f>{X^7KyXfAH RAID 
(Redundant Arrays of Inexpensive Disks) chfeot^f 

:"A Case for Redundant Arrays of Inexpensiv 
e. Disks (RAID)", David A. Pat terson, Garsh Gibson, a 
nd Randy H. Katz, Computer Science DivisionDepar tme 
nt of Electrical Engineering and Computer Science 
s, Universityof California Berkeley ACM SIGMOD pp. 
109-116 1988) o 

[0 0 0 3] r ^ X i7 7 1/^ ->Xf AfiSS^f ^ X ^ 
^7l/<$*S1-^fc*lcH *7h»5©U-K/5 
U HI$tcl2^--^£#5rVX^#J&U ij-F 



[0 0 0 4] *7h*6®U-NV7-f — 
WICLU (Logical Unit) £B3H£ft3a&g:x- y hljiffi; 

[0 0 0 5] *Xh^W7H*giitM>? 

*-7>'>XfA(!:0gKTttSCS I (Sm 
allComputer System Interface) ^>:7 t -f /^-^^I/jO* 

Jgf£WtC#RLfc, I P (Internet Protocol) ^/n 

&^tiipB**«aSoT450. IP±I:SCSI©7 
DhnMit^iSCS I (Internet SCSI) h^o 
Mfe&I ETF (Internet Engineering Task Force) 
KiS^Ttfeit^n* 2 0 0 0¥6fl©B#ja7?Internet- 
Draft<hbTdraf t -satran- iscsi -01. txt /^B8£n 

[0 0 0 6] i SCS I £— mt-tZ> I PX hU-~ 
flSKcfcD, I P^7 F7-i7tiX h U-yr/HX^l 

hU— ^/WX^OT^irXttttfRKM^iPiJi-rSo 
[0 0 0 7] 

[5EW**«?*b<t 3 tt^SI] i S C S I f£ffi\z£ 
9. I P*y h«7— ^ICtVx>77 K^t-A^BU* 
»l«Sn, IP*yh7-?±©!r*«^6f^X*7 
l/^^X^A^ffi^tCT^-irXpJ^tC^^^, ^-n/ctt 

[0 0 0 8] 77^Aft*;PTidtSnSAN (Stor 
age Area Network) tm^tl&X h i?1fma>*y b 
■7-^T*X b&&ZfiT4Xi77 K yXfA«$ 

^fc^X FJK^S^T^-feXS^jET^-feXt^fe, 

— ^tiiil^fe^Slr^^iJ-T-w *K»Tt^. LUNt 
^o-U^-ftfliE^O^Ttt* 4$fH¥l 0-333839 

[0 0 0 9] tzZZi)^ iscsignao, SCS 
I <D7u bu)\,fit I P^rtffitcA^iryKtSnTLSp 

XJt©LU*cktf7^tXSO*7 h*«FS*r^^c: 
te, I P/t^r^y hcO^fC^^TC P/t^r^y hO^^tC^ 3 
fC&£ i SCS KD/Vry h *«f«fr^^B*<* 0 > i 
SCSI KUcoTT^X^TU-f ->X^A£ IP^7h 
T 7-?lzmm.Lfzm&. «*tB»OLUNt*aUf 

[0 0 10] I P*;/ h9-^7TH h7 
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[0 0 11.] *^©BWlt iSCSir#TIP* 
? F7-^{:M$n^X^7K fc45V>T. IP 
7 Fi/X£^Tt£^<7)LUN1r^U-7V tm^CD-t 
U 5V ^^r*S^^> z: £ K&£ 0 

[0 0 12] ^H^cD^^t-t)^ locoBMfri, 

[0 0 13] 

[^s^«^t:^>fc*^^a] HuiBaw^ii^'r^^ 

ic, 7W ±lcKSbfc«&<05^x^gB 

hu-i/izmm^m scs i^nhaM^^^ 

-^>^X;i:-XJC*i&CD I P7 KlxX^^T^)^ 
g<h, I P7 Fl/X<hx^X^7l^rt^OLU£^ 

o^^jH5t;^teiM^cD I P7 Kl/X(7)SL^J:D^c7)tei|| 
rt^F JE&iE iHT & £ rt> £ *PJ Br b 7 4 )l> ? U > ^ T £ 

[0014] ^yc. se^y iz-r^^x^s/x^A^© 

{Z, X?TU^tf&f$'?Z>m$L(D I P7 Fl/XchL 

u^^^^w^^e>yix^*^5 r ^x^y u-f tea 

&£7^£*fj£tttt, -^n^r I P7FUXl/^Tfi 
U y^-feXpf&gT&^/KX b£ LUO I P7 FI^XCD 
a^* 7 h 7-^;h^^>t ^ 7 ^ 7 K ClSt^l 

[00 15] ^ntC^O^^X^Tlz-f lE^&fciH 
CD I P7 \ i UX<Dl&$:%lZ>ZLhtf-C^;Z><DT\ ftmzm 

mz^tttfcm.*7j)v?>)>y^z>^wc\z&K). ^ie 

I P7 Kl^X^J^ttttT^OT, ^nfiTOLU 

[0 0 16] h7-^;i/- lE^&HSit 

©I P7 Kl/XCDffi^ffl^^<t^T#^>c7)T. 

& I P(7>a^J:^te2l^^*-r^C < h^T#^>o LU£r 
I P7 Kl/X<hmWtT^£OT\ ^ntet£*<Z)LU 

K-r^X^y l/<^S5tf>*u/ h9-^-*±T^FIE& 
fci££i&Srr £ C <h ^T*£ £ £ ^ ? £ o 

[0 0 1 7] 

[0 0 18] £-T\ *:%^(7)*j5g^a)*^^a 1 



[0 0 19] aitCfc^T. *XhA100, *XhB 
110, *XhC120, *XhD13 0H r^X^ 
YU-f 2 0 0(C*fLTU-H/^-f M§3fc£ttlU 5*— 
^OAffi^^5*XhT*5 e 2 0 0 te^fgBJ^^t 
£5^X^71/^. 3 0 0^7h7-^^ICgt 
t^8lT$^Jl/-^, 4 0 0te*y h^-^efctf^ 

5 0 0^7 h7-^7B5 1 0\$^rtl^nm±Llsrz*y 

bv-w$>K)^ o o\z^ottmzmmztiT 

*X bA 1 0 O&JzZS-fcX hBl 10H h 
7-^7A5 0 0±tC#fiELT^£#>\ W3 0 0^ 
t^^tCJ:0, *y K^-^B 5 1 0±(C#aE-T^>x 
^X^Tl/^ 2 0 O^y^irXpftg^^oTl/^o *y 
h7-*A5 0 0 t*7h7.-^B5 10(t 7Dhn 

[0 0 2 0] ^2lC*^HJ(Cfe^^-7'^X^Tl/-r<7>rt 
^UyZm^^-t* T>fX^7K 2 0 "0ttu IP* 

^ h^-^tcsgttsni scs i^ph^Mgm 

7h7-^O?7i-X210^ MIP7HI/X 
S)$*ft2 12^ IP7Fl/7-LUN»JKft»¥S 
2 14t, IP7-fMU>^ft2 16^ t^X? 
7K^>hD-72 2 0^, 5^X^3£BS¥2 3 0 <h 
*i^.T^§. f-fX^7K^>hD-72 2 0H 
*X htOT 5 — ^Affl*toft!lW, r^X^7KftO 
^-^^SiJ/^E^o^Jp, a^x^MP^^-^cD 

0, ^X^7l/<£©J^^:/D^A^;^*^U 
2 2 2<h, yn^7A^ffLf^ X^7U-T^#:<OSiJ 
i^fT5>MPU2 2 4(h, *Xh«hr^X^gfgp B 1© 
-r-^teiH*— WfA^/ 77'J >^T£^< X^4^ y ~> 
a2 2 6 t£MTW. T^rX^8iS2 3 0H 7 

[0 0 2 1] **j*»«£43V>Ttt. 
N«fYX^ORA I D{CctO«^$nfcifeSrL- 
7hLU0 - 2 3 2, LU1 -2 3 4, LU2-23 
6, LU3 - 2 3 8^f^t)(D(hn e 

[0 0 2 2] *&\Z. IP7HU 
XffiSffg2 12 4 IP7Fl/X~LUNMWtfg 
2 14, IP7^MU 2 1 6 I^^TRMt 

I P7 K'l/X©*6MbSTT^fc. utlli, 
ttft I P7KUXI:MnLT^^7 h7-*«S# 
— H7-?<>^7x-XI:SSO I P 

7 k i/x^j o %TTmm-?z> z in&WLfr-i tztztb-e 

3bZ> 0 LA*L&At6. -O0*7h7-?^f>^7i- 

IPv6 Rt^ £ <hlcJ: 0 , COWBttflHSSn 

»cOf>fX^7H 2 0 0H ^tl P7HU 
XS)#fg2 1 2 £f£^;i<htCJ;0, *yh7^<> 
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^7x-X2 1 0l:»»©I P7 KUX^#J0^T^d 
tSrnrtgtl/T^S, IP7Hl/X-LUN^Mtt¥ 
82 14ft h^-^HWJ^T** IP7PI/X 

>fX^a9J?T*§LUN (LU Numbe r) <£>*t 

#1 P7FW-LUN»Ktttt¥ft2 1 4JCiSftiatl 
dO»JK(t»tt, 04(Dcfc5ft:I P7HI/X-LU 

[0 0 2 3] I P7Kl/7iLUN©#«#»OH?« 
04 CO I P7Fl/X-LUN7 7 tf>^f-7Jl/5 0 0 
fcSto ::T> IP7FI/X«*M^«^7h9- 

IP7Kl/X**n©tf§„ IP7HI/X-LUN 
Tye>yf-^5 0 0TH I PT FI/X5 1 0 £ 

fflTftt, IP7H 0 0 0 0" t L US-^" L U 

o" sn; raestd" 0001" t" lui" 

" 0 0 0 2" fc" LU2" ^ " 0 0 0 2" <h" L 
U3" 3j«»j6ftW-6nT^a. ClCTLU2<hLU3« 
KDI P7KI/X" 0 0 0 2" l:»lg#tt5nT^5 

y h9-^«lCttHi;*frT7*txan4LU©|ftT 
Hi;iP7Kl/XS9J0IoTl^^6T» 
£o Ctltt«A«, LU2#RA I D lXlt^^nigjl 
!&T{7±7>ifiaI&t1ZL^T&Q* LU3^RAID5T 
MSnt^T, LU2, LU3tt>tHi;*X^6 
y £7 -fe x £ n<5 ^JSSjSS: 7 * -fe X a*#B&W»4-L U 2 

a*, a^m l u 3 36*«e« s £ ^ ^ j: o 

«fcOLUSKgaLT7^-fe^-r-5J:5a:«^K:#a!i"C« 
[0 0 2 4] 02l:loT, I?7^MU>^¥ft2 

? v >?mm(Dift<D-mm. i pa^ 7 h^rn^ea^t 

I P7Kl/7(h62y i cI P7Fl/X0l^b^Wi 

««rLT*<&l^*^<fc-r**. I P7H1/XCJ:*7 
-<^U>5 r «iE*SIS-rs. I P7HI/X0S 

te, yXrAfI#^fia*4 0 0<D I P7 Kl/Xt 
^a'Jf^l»4 1 6^LT I P7^MU>^ 

1 6£sjrr*. 

[0 0 2 5] 0 3tC, *f£wic43tta«aaB*4 0 OCO 

^□^^@^r^-r o »i»*4 0 0lt rtSU£««V:7 

*^«6»li«C4>liTf4«a V7 h 410^ 
(CSE*^'3Tt^7 r ^X^ZU-<@a^4 1 2tCjjDA 



T> I P7HI/X-LUN77 fcf>^t£tg4 1 4. IP 
7KI/Xt^Ur^i^fg4 1 6£«t*£o 5r^X 

?Tu-(<gmmm4 1 2^. f^x^7K 2 0 o^m 

«U L UM^> L Um^$«F^4^Tf X ^ 7 
l/^f 2 0 0 St ItS7D^7ATS5, IP7HI/X 
-LUN^t;>^«tEM:, B4tSfIP7Hl/X- 
LUN77tf>^f-^5 0 0S^, MWk<DIP7 
H1/X5 1 0£LU#^5 2 0<Dttfomt&?fOo IP 
7FI/X-LUN77 tr>^t$tE4 1 4^fTofcI P7 
HlxXfcLU##0»*#WS % f^X^7H200 
I P7HUX-LU N»MW?g:i:fi^ ^ <t 
fc<fctK ?^?7K2 0 0T^i;jfMW^fe 
tl^o IP7Hl/Xt*aUf^»j|»IE4 16H B 

£ L U<Bffl£;!/— * 3 0 0 *5 X^7K200 
ftgfl<D I P7^;^U>^fg2 1 6iC»^"T^Ci(c 

[0 0 2 6] S5^T7^1rXBltgLU^T-'-> r ;i/ 
6 0 0H *Xh610, fcO*Xh©I P7Fl/X$ 
^"T*X MP7FI/X6 2 0, ^<D*X h^T^irX 
?&Z.£&^mfcLU&mTT# J £XvSmL\J6 3 0, 
-€-<OLUt»JS-rsI P7Fl/X^tLU»«I P7 
K WX 6 4 0 ©«B S«fOt-^T?»-5. 0 5©«T 
sfcXhAtel P7FI/X M 0 1 0 0" £J3T6, IP 
7FI/X" 0 0 0 0" IZttfomiZtltzLlJOlZTZIi 

7FI/X" 0 110" £J#^, I P7FI/X" 000 
2" \ZttfcmiZnrcLU 3\ZT2-£X*1 

Z.t.\Z?3iZ> 0 

[0027] mz, *mmmmiz&rt2>mmz-D^Tm 

WTZ>o £-rm&\Z, yXfAflf^, $>Z>*Xh\Z 
\ti£(D< &lr)<Z>7 f >fX^#B4fj&Bft*. ^XF^f, 
f©< 5^©7^tX^i«Stl-5^*OyXfAR||- 

£tck, flfa»*4 o o©^^^TW*a«ig4 i 

2£JSfr>T. RAIDM, ^i^^LT, r^X 
?7K 2 0 0fttLUSffdttS. ££TSE5fe<hg£: 
*<9tt. ^X^A«a#»4LU*f^ric-r*IKfc:-t-<OLU 

t&SI P7Hl/XSJ|j|t5uiT**. Jf^Stlfc 
I P7FI/Xttl P7FI/X-LUN77 tf>^ttM£4 
1 4fci0-LUt»«:#Jt6n, IP7FI/X-LUN 

»*fnt*»2 i 4»c*o»«wt3^ii»sn*. s 

^IP7Fl/X#ia$n^>o *XFIif(OLUS7^ 
-feXTfclRfctt. ttJEtftW-snfcl PTKUX^eiH^ 
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[0028] ^mmj&mx^ Luo-232, lui 

-2 3 4, LU2-2 3 6, LU3-2 3 8<D4^(Z)L 
U£ffr$U fft?ncIP7HI/X M 0 0 0 0", " 

0 0 0 1\ " 0 0 0 2\ " 0 0 0 2" 
ilfctr*. 04© I P7F1/X-L 
UNY7t:>^f-^5 0 0l:i$n§ o LU2tL 

I D 1 <hR A I D 5 TtftJSfcSnsJML 

I^U I P7Hl/XllMMWTi/^o 
[0 0 2 9] IP7h + l/X-LUNT-yt:>^r-7> 
5'OOIt I P7 HI/X-LUNT7 fcT>^ttME4 1 4 
I P7Hl/X-LUNM#tt?g2 1 4*«rt» 

[0 0 3 0] *HJ6Jgffi-Ctt, ^XhAlOORUO 
- 2 3 2*. *X hB 1 1 0*LU2 - 2 3 6 £ L U 3 
-2 3 8 ££, *XhC120^LUl-2 3 4i:LU 
2- 2 3 6 £LU 3 - 2 3 8 i£\ *XhD13 0^L 
Ul-2 3 4&T2±7,-rZ>h(DZiTZ>o ZLZfrZ. I 
•P7Hl/Xt*aUr^R3l*«E4 1 6-H T^irXnJ 

iBLuatjsy— :/*6 o os^n, £<z>*xha*£ 

**A**r*. S5(C^$n^>ct3^, JKXhA100(D 

1 P7Kl/Xr 0 10 0" ^fcO, *XhB110 
tt" 0 110", *X FC120 te" 0120" , *X 

h D 1 3 0 te" 0130" ©IP7HI/X £i#Oo >-X 
T&mm^te. f^fX^7K 2 0 0^7^-irX-r&* 

PJtELUMr-^6 0 0H &fT<Ojffl.OT^irX^ 
WnrStlT^SClii^UTl^. I P7 Hl/Xir^j. 
U7--fWe*iB4 1 6H Z^-feXRTtBLUJ**^-^ 

;i/6 0 0^7Efc, ;^3 0 0 tiP7^HU>y? 

g2 16C*fLT, I P7F l/X" 0 10 0" <h" 00 

0 0" ^ODfegl (tKX hA100tLU0-2 3 2. 
PI) , "0110" t" 0 0 0 2" fflOXESI (*X h B 

1 1 0tLU2-2 3 6*5J:tfLU"3 -2.3 8 M) , " 
0 12 0" £" 0 0 0 1" ffl<D&m. (*X>C 1 2 0 d: 
LUI - 2 3 4M) /' 0 120" t" 0 0 0 2" 
feiS (*X hC120<hLU2-23 6*5£tfLU3- 

2 3 8 ffl) , " 0 13 0" <h" 0 0 0 1" fflOfem. (* 
X l>D 1 3 0 iLU 1 - 2 3 .4H) £fF*Tr O Kit 
St^o ft*5, *X h C 1 2 0, *:X hD 1 30, f^i 

2 0 Otttt)l:*Th7-*B5 1 0±tc;fe 

^cDT, -e<t>.racotesitt;i/-^ 300 £^rr^ci£te&: 

^(Oitisb. I P7 Kl/X" 0 12 0" <h" 000 
1 " WI<D1&1&* " 0 12 0" t" 0 0 0 2" RflcDfc 
iH, " 0 1 3 0" 0 0 0 1" F^fc^fC^-m, 
;U-^3 0 0KWiTr*£'5tcmj£L&< £*>&^o 
[0 0 3 1] I P/t^ru/ hOfpoeitTCI PTKU-Xt 

P7 Kux^ia^ gmsnTt^&^iE&te 



WKHSHT, JI/-^ 3 0 0 t»4«9JK:»bti«IEtt!&R 

[0 0 3 2] iEH^fdckO, *XhA100RU0 
- 2 3 2£T^-trXT£[£lCte, teitTtl P7 Kl/X" 
0 10 0" , eglflc I P7F l/X" 0 0 0 0" CD I PA 
iry h£<£ffl-T£o I P7HI/X" 0 10 0" t" 00 

o o" m©tesitt;u-^3 o 0Tttffwrs<t-5Jcs^ 

7K2 0 0ft<7> I P^^;U^U >^fg2 1 6T*>IE 

[0 0 3 3] ddTfcb, *XhB110RU0-2 
3 2{CTi7irX"T^fc«)Jce2l7Cl P7HI/X" 011 

0 " , teiH^fe I P 7 K l/X" 0 0 0 0" <D I P /1^r y h 

&&mLfriz-rz>t. i P7Hi/x M oiio" r o 
ooo" m<D^mt)u— ? 3 o oxmfiFnr^nTv^^ 

[0 0 3 4] *X FBI 1 O^L.UO- 2 3 2 \Z.T2*\l 
X-TSfcfelCteSlTC I P7K1/X" 0 110", 

1 P7 Hl/X" 0 0 0 2" <D I P/^y bSfiSJH 
T<5£, ;i/-^-3 0 OttI P/^y hft»©LU*B» 

IP7HI/XL^HHl/^iS:6fc, £*>*IE 
tzn'Ty h£rilbTL£5^\ T^X^7W 2 0 0ft 
(DIP7F1/X-LU N-atJStttt^R 2140IP7F 
1/X-LUN77 \£>{f*r— y;i/5 0 0 tCl*5^T I P7 
Fl^X" 0 0 0 2" i:.LU0*^JS#frt&nTl^^il 
£**PJ*<B7T. f^Xi77K2OOrtfflTC0teilS 

[0 0 3 5] J£Ui<7)flf/&, Wif^^<k0 2|5:^JfiJg8itC<tn 
«, i SCS I8«TI P*7h7->l:»*$n*T 
4Xi7Tl"(\Z&\,*T. IP/^7hrtOfeg7cIP7 

K>X£lE2l3fcI P7Fl/X0a(lckD, fiE*<Z)LUN 

[00 36] hv-#&*gimzmm-rz>)i>- 

?.\Z&\,*T. mm<D I PTFUXOffiJCctO, fi£*CDL 

*7Ko»antsi[anj:t3j«Tt5, 

[0 0 3 7] $6iC, LU^C I P7 Kl^X*a«ft 
*Xh?!i^W^f^X^7K 

X^7K*W©tBi;a«S10fi!)T-f7?7K 

d:^0f>rX^7K^fl3X hZTtf 

[0 0 3 8] *«fO*S^LUS»m>^7 
x-X^SUgSM£ffT£KUC, P7FI/ 
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[0 0 3 9] ftii. &$mM7?\-£. flS*4 0 0^6 
f^fXi'7K 2 0 0*5J;^;U— ^ 3 0 0 ^CDtfgfjHg 

#*. 0 6 tC7F"3~<£: o\Z%*y hU — t? B 5 1 0 T?kfc£t< „ 
ff3S@* 40 0ir^^^71/-f2 0 0 7 

o o tJcttpgJisg* 4 o o 300 %m&mmm 
7 1 o 5«i itt if «©6i^ff otfesn. mm 
i7oot7io tefc U t )vmmmi3.£-?mM 

[0 0 4 0] #*Jfi«T»4, LU1-2 34IW 

7h7-?B5 1 0_h«*X h^6b^Ti7-feX$tl^C 
C©|#ttLUl - 2 3 4{C*fJ^TS IP7HI/ 
X" 0 0 0 1" h "7 — ^7 B 5 1 0 JiTCD^^ft 

D— *;|/T K^XtC-rn«, LU1 - 2 3 4K|I|-r-5-r 
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(54) DISK ARRAY SYSTEM 
(57)Abstract 

PROBLEM TO BE SOLVED: To provide a security function equal to 
a conventional LUN security in a disk array connected to a network 
by iSCSI technology. 

SOLUTION: This system is provided with a means for holding a 
plurality of IP addresses inside the disk array, a means for making 
the IP address correspond to an LU, and a means for filtering 
transfer by watching the IP address to be used for transfer. Then 
the IP address is made correspond to the LU and the permission/no 
permission of transfer is set for every set IP addresses by a 
managing terminal, transfer, thus the filtering based on the IP 
address corresponding to the LU is realized on the disk array and a 
router. 
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* NOTICES * 

Japan Patent Office is not responsible for any 
damages caused by the use of this translation. 

1This document has been translated by computer. So the translation may not reflect the original 
precisely. 

2.**** shows the word which can not be translated. 
3.1n the drawings, any words are not translated. 



CLAIMS 



[Claim(s)] 

[Claim 1] It is the disk array system which has two or more disk units arranged in the shape of 
an array. This disk array system The network interface which performs I/O with a host by iSCSl, 
The disk array controller which controls a disk array system, A means to hold two or more IP 
addresses, and the means which matches an IP address and Logical unit, It has a means to filter 
this transfer by the IP address used for a transfer. The disk array system characterized by for 
the directions from an administration terminal performing Logical unit and an IP address, and 
performing transfer filtering by the group of matching, a source IP address, and a destination IP 
address. 

[Claim 2] The network system characterized by performing transfer filtering corresponding to 
Logical unit with the directions from this administration terminal in the network system equipped 
with the disk array system according to claim 1 , the administration terminal which manages a 
disk array system, and the router which connects a network mutually by performing transfer 
filtering by the group of a source IP address and a destination IP address on a router. 



[Translation done.] 
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* NOTICES * 

Japan Patent Office is not responsible for any 
damages caused by the use of this translation. 

1. This document has been translated by computer. So the translation may not reflect the original 
precisely. 

2. **** shows the word which can not be translated. 
3.1n the drawings, any words are not translated. 



DETAILED DESCRIPTION 



[Detailed Description of the Invention] 
[0001] 

[Field of the Invention] This invention relates to the access security of a disk array system 
especially mainly with respect to the control system for the disk array system used as a storage 
system of a computer system. 
[0002] 

[Description of the Prior Art] It is the storage which raised dependability by adding redundancy 
data to data while a disk array system is also called RAID (Redundant Arrays of Inexpensive 
Disks), takes the configuration which has arranged two or more disk units in the shape of an 
array and processes the lead demand (read-out demand of data) from a host, and a light demand 
(write request of data) at a high speed by juxtaposition actuation of a disk. A disk array system 
By the class and configuration of redundancy data It is classified into five level (paper:). [ "A ] 
Case for Redundant Arrays of Inexpensive Disks(RAID)", David APatterson and Garsh Gibson 
and and Randy H.Katz, Computer Science DivisionDepartment of Electrical Engineering and 
Computer Sciences and Universityof CaliforniaBerkeley ACM SIGMOD pp.1 09-1 16 1988. 
[0003] The disk array system is equipped with the disk group which consists of two or more 
disks. In order to realize the above disk arrays, it is necessary to change the read/write demand 
from a host into a read/write demand on each disk, to distribute data to each disk at the time of 
a light, and to perform data distribution / set control which gathers data from each disk at the 
time of a lead. Suppose that such control is called disk array control. 

[0004] The read/write demand from a host is performed in the Logical unit unit generally called 
LU (Logical Unit). 

[0005] The dedicated interface has been used in connection with a mainframe, and, as for the 
interface which connects a disk array with a host, SCSI (SmallComputer System Interface) and a 
fiber channel have been used by connection with an open system. However, the demand of 
wanting to connect storage is increasing in the network which spread explosively by the Internet 
in recent years using IP (Internet Protocol) as a protocol, the specification of iSCSI (Internet 
SCSI) which carries a SCSI protocol on IP is examined in IETF (Internet Engineering Task Force), 
and it will be draft~satran-iscsi-01.txt as Internet-Draft as of June, 2000. It is opened to the 
public. 

[0006] With IP storage technique which makes iSCSI an example, if the direct continuation of a 
storage device becomes possible in IP network, the access nature to the storage device 
containing a disk array system will improve by leaps and bounds. 
[0007] 

[Problem(s) to be Solved by the Invention] By the iSCSI technique, direct continuation of the 
disk array system is carried out to IP network, and when the calculating machine on IP network 
to a disk array system becomes accessible simply, the opportunity of unlawful access will also 
increase so much, and the security function which prevents unlawful access becomes important 
[0008] When the host and the disk array system were connected in the network only for storage 
which consists of fiber channels and is called SAN (Storage Area Network), the security in data 
transfer was raised using the LUN security function in which consider that access from other 
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than the host who set up beforehand to a certain LU is unlawful access, and it is not received. 
About the LUN security function, it is indicated in JP.1 0-333839 A 

[0009] When a SCSI protocol is encapsulated inside IP, it becomes impossible however, to 
specify LU simply with an iSCSI technique only by seeing the packet of IP which flows a network 
top. In order to specify LU of an access place, and the host of an accessing agency, when it is 
necessary to analyze the packet of iSCSI of the TCP packet in an IP packet which is in inside 
further and a disk array system is connected to IP network by iSCSI, the technical problem that 
it becomes difficult to realize the same LUN security function as usual occurs. 
[0010] Moreover, in IP network, various security functions are mounted in the router which 
interconnects each network. However, if those functions remain as they are, they cannot be 
used for the security of a disk array system, on the assumption that IP. 
[0011] The purpose of this invention is to realize a security function equivalent to the 
conventional LUN security in the disk array connected to IP network using an IP address with an 
iSCSI technique. 

[0012] Another purpose is in the thing of this invention for which a router realizes security 
equivalent to LUN security further, without adding a hand to the conventional router. 
[0013] 

[Means for Solving the Problem] In the array mold disc system which has two or more disk units 
which have arranged this invention on an array in order to attain said purpose The network 
interface which is connected to IP network and understands an iSCSI protocol, For the disk 
array controller which performs disk array control, in addition, a means to hold two or more IP 
addresses to one network interface, A means to match and manage LU inside an IP address and 
a disk array, and a means to judge whether the transfer is an unjust transfer by the group of the 
IP address of the source and the destination, and to filter based on a setup given beforehand are 
established. 

[0014] Moreover, the function which carries out matching mapping of two or more IP addresses 
and LUs which the disk array other than a disk array function manager holds to the 
administration terminal which had managed the array mold disc system conventionally, and 
notifies a result to a disk array, and the function for which host to match whether it is accessible 
at which LU, to manage it on IP address level, and to set up the group of the IP address of LU 
with an accessible host at a network router or a disk array are prepared. 

[0015] Thereby, since a disk array can know the group of the IP address of a just transfer, it can 
cancel the transfer by the group of inaccurate IP with a means to filter the unjust transfer 
prepared in the interior. Since LU is matched with the IP address, this is a security function 
equivalent to the conventional LUN security. 

[0016] Similarly, since a network router can know the group of the IP address of a just transfer, 
it can cancel the transfer by the group of inaccurate IP by the function of packet filtering which 
it has from the former. Since LU is matched with the IP address, this is a security function 
equivalent to the conventional LUN security. It is effective in the ability to cancel the still more 
unjust transfer on the network router of the disk array exterior. 
[0017] 

[Embodiment of the Invention] Hereafter, the gestalt of operation of this invention is explained to 
a detail. 

[0018] First, the configuration of the operation gestalt of this invention is explained using drawing 
1 - 

[0019] In drawing 1 , a host A100, a host B110, a host C120, and a host D130 are hosts who 
advance a read/write demand to a disk array 200, and output and input data. A disk array [ in / 
in 200 / this invention ], the router whose 300 is equipment which connects a network mutually, 
and 400 are the administration terminals of a network and a disk array 200. A network A500 and 
a network B510 are networks which became independent, respectively, and are mutually 
connected by the router 300. Although the host A100 and the host B1 10 exist on a network 
A500, they are accessible by minding a router 300 to the disk array 200 which exists on a 
network B510. A network A500 and a network B510 are networks which use IP as a protocol. 
[0020] The internal-block Fig. of the disk array in this invention is shown in drawing 2 . The disk 
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array 200 is equipped with the network interface 210 which is connected to IP network and 
understands an iSCSI protocol, two or more IP address maintenance means 212, the IP address- 
LUN matching means 214, IP filtering means 216, the disk array controller 220, and the disk unit 
group 230. The disk array controller 220 is a part which performs disk array control including 
control of data I/O with a host, control of data division / integration peculiar to a disk array, and 
control of I/O of data with a disk unit group, and is equipped with the program ****** memory 
222 which controls a disk array, MPU224 which performs a program and controls the whole disk 
array, and the disk cache 226 which buffers data transfer disk unit between groups with a host 
temporarily. The disk unit group 230 is constituted by two or more disk units allotted on the 
array. 

[0021] In this operation gestalt, it shall have Logical unit LU 0-232, LU 1-234, LU 2-236, and LU 
3-238 which were constituted by RAID of a simple substance disk or two or more disks. 
[0022] Next, two or more IP address maintenance means 212 which is the description of this 
invention, the IP address-LUN matching means 214, and IP filtering means 216 are explained. 
Only one IP address was usually conventionally assigned to one network interface. This is 
because there were many network devices which do not support two or more IP addresses and 
it was difficult to assign and apply two or more IP addresses to one network interface. However, 
this problem is solved when IPv6 on condition of assigning two or more IP addresses to one 
network interface spreads. The disk array 200 of this invention makes it possible to assign two 
or more IP addresses to a network interface 210 by having two or more IP address maintenance 
means 212. The IP address-LUN matching means 214 matches the IP address which is a 
network identification child, and LUN (LU Number) which is the logical unit of disk accessing and 
is a substantial disk identifier. With this operation gestalt, a system administrator performs the 
matching of a what No. IP address is made to correspond to which LUN itself, and the result of 
matching is notified to the IP address-LUN matching means 214 through an administration 
terminal 400. This matching is managed with an IP address-LUN mapping table 500 like drawing 
4 . 

[0023] An example of matching of an IP address and LUN is shown in the IP address-LUN 
mapping table 500 of drawing 4 . Here, although it is a long digit string with the semantics as a 
network address properly speaking [ an IP address ], in this operation gestalt, an IP address shall 
be expressed as a digit string of 4 figures for explanation. In the IP address-LUN mapping table 
500, IP address 510 and the LU number 520 are matched, the example expressed here — an IP 
address — "0000" and LU number — "LU0" is matched and "0002" and "LU3" are similarly 
matched [ "0001" and "LU1 " ] for "0002" and "LU2." Although LU2 and LU3 are matched with 
the same IP address"0002" here, and this is another LU as Logical unit it is because it is the 
group of LU accessed on the conditions same in network, so the same IP address is assigned. 
Although LU2 consists of RAID1, high-speed access of it is attained, LU3 consists of RAID5 and 
this is accessed by the host with LU2 and LU3, when high-speed access is required, when LU is 
distinguished by the use application and LU2 accesses as LU3 is usually used, it is effective. 
[ same ] 

[0024] The filtering function by the IP address which returns to drawing 2 Judges that IP 
filtering means 216 is a transfer unjust when it was the group to which one function in the 
packet-filtering function mounted in the usual router and an IP packet are investigated, and the 
group of a source IP address and a destination IP address is set beforehand and is the group 
which is not set up by making the transfer just, and repeals the transfer is realized. A system 
administrator sets the group of a just IP address as IP filtering means 216 through the IP 
address security setting up function 416 of an administration terminal 400. 

[0025] The block diagram of the administration terminal 400 in this invention is shown in drawing 
3 . Although the administration terminal 400 has the managed software 410 in the interior and 
realizes various managements by this, in addition to the disk array function manager 412 which it 
has conventionally in the managed software 410 in this operation gestalt, it is equipped with the 
IP address-LUN mapping function 414 and the IP address security setting up function 416. The 
disk array function manager 412 is a program which communicates with a disk array 200, gives 
support of LU creation, LU disconnection, etc., and manages a disk array 200. An IP address- 
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LUN mapping function has the IP address-LUN mapping table 500 shown in drawing 4 , and 
performs matching of actual IP address 510 and the LU number 520. Matching same as a disk 
array 200 is performed by telling matching of the IP address which the IP address-LUN mapping 
function 414 performed, and LU number to the IP address-LUN matching means of the disk 
array 200 interior. The IP address security setting up function 416 realizes the filtering function 
by the group of an IP address by having the table 600 corresponding to accessible LU as shown 
in drawing 5 , and setting the group of LU as a router 300 and IP filtering means 216 of the disk 
array 200 interior with the accessible host obtained from this table. 

[0026] The table 600 corresponding to accessible LU shown in drawing 5 is a table with the item 
of IP address 640 corresponding to a host 610, host IP address 620 showing the host's IP 
address, accessible LU630 showing LU which can be accessed by the host, and LU showing the 
IP address corresponding to the LU. In the example of drawing 5 , Host A has IP address"0100" 
and shows the accessible thing to LU0 matched with IP address"0000." Host B is accessible to 
LU2 and LU3 which had IP address"01 10" and were matched with IP address"0002" similarly. 
Thus, when a host is accessible to two or more LUs, the host will occupy two or more lines of a 
table. 

[0027] Next, the actuation in this operation gestalt is explained. First, a system administrator 
uses the disk array function manager 412 of an administration terminal 400 at a certain host 
based on what access is predicted for what disk capacity from the need and which host, and a 
system design, specifies a RAID configuration, capacity, etc., and LU is created in a disk array 
200. It differs from the former that a system administrator specifies the IP address which 
becomes an identifier at the time of accessing the LU from matching and a network in case LU 
is created here. The specified IP address is matched with LU by the IP address-LUN mapping 
function 414, and the matching is notified to the IP address-LUN matching means 214. Moreover, 
the matched IP address is notified to the host who accesses the LU. In case a host accesses 
the LU, he accesses the matched IP address by specifying it as the destination. 
[0028] With this operation gestalt, four LUs, LU 0-232, LU 1-234, LU 2-236, and LU 3-238, are 
created, and suppose that IP address"0000", "0001", "0002", and "0002" are matched with 
each. This matching is expressed by the IP address-LUN mapping table 500 of drawing 4 . 
Although LU2 and LU3 are another LUs which consist of RAID1 and RAID 5, since they are a 
group to which access equivalent in network is carried out, they are matched with the same IP 
address. 

[0029] The IP address-LUN mapping function 414 and the IP address-LUN matching means 214 
hold the IP address-LUN mapping table 500 inside. 

[0030] With this operation gestalt, a host C120 shall access LU 1-234, LU 2-236, and LU 3-238, 
and a host D130 shall access [ a host A100 / LU 0-232 / a host B1 10 ] LU 1-234 to LU 2-236 
and LU 3-238. From here, the IP address security setting up function 416 creates the table 600 
corresponding to accessible LU. A system administrator inputs the information which host 
accesses which LU. As shown in drawing 5 , a hosts A100 IP address is "0100", "0110" and a 
host C120 have "0120" and, as for a host D130, a host B1 10 has the IP address of "0130." The 
system administrator knows beforehand a host's IP address accessed to a disk array 200. The 
table 600 corresponding to accessible LU means that access of the group of each line is 
permitted. The IP address security setting up function 416 Based on the table 600 corresponding 
to accessible LU, a router 300 and IP filtering means 216 are received. The transfer between IP 
address "0100" and "0000" (between hosts LU [ A100 and ] 0-232), The transfer between 
"0110" and "0002" (between hosts LU [ B110 and ] 2-236 and LU 3-238), The transfer between 
"0120" and "0001" (between hosts LU [ G120 and ] 1-234), It is specified that it permits 
"0120", and a transfer (between hosts LU [ C120 and ] 2-236 and LU 3-238) of a between and 
the transfer between "0002" "0130" and "0001" (between hosts LU [ D130 and ] 1-234). In 
addition, since both a host CI 20, a host D130, and the disk array 200 are on a network B510, a 
transfer in the meantime does not mind a router 300. Therefore, it is not necessary to specify 
that it grants a permission to a router 300 about the transfer between IP address "0120" and 
"0001", and "0120", and a transfer of a between and the transfer between "0002" "0130" and 
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[0031] Since the function which investigates the source IP address and destination IP address in 
an IP packet and filters the unjust transfer which is not permitted is one function of packet 
filtering with which the conventional router is equipped, in this invention, a new function is 
unnecessary and extraordinarily [ a router 300 ] usable in the conventional router. 
[0032] By the above-mentioned setup, in case a host A100 accesses LU 0-232, the IP packet of 
source IP addressed 00 "destination IP address" 0000" is used. Since it is set up so that the 
transfer between IP address "0100" and "0000" may grant a permission in a router 300, it is 
regarded as a just transfer, and similarly, it is judged with it being just also with IP filtering means 
216 in a disk array 200, and the usual access processing is performed. 

[0033] In order that it may carry out also here and a host B1 10 may access LU 0-232, supposing 
it uses the IP packet of source IP address"01 10 "destination IP address" 0000", since a 
permission is not granted in a router 300, it will be regarded as an unjust transfer and the 
transfer between IP address "0110" and "0000" will be canceled. 

[0034] In order that a host B1 10 may access LU 0-232, supposing it uses the IP packet of 
source IP address"0110 "destination IP address" 0002" Although a router 300 will let this 
inaccurate packet pass since it cannot recognize LU inside an IP packet but recognizes only an 
IP address Since it turns out that IP address"0002" and LU0 are not matched in the IP address- 
LUN mapping table 500 of the IP address-LUN matching means 214 in a disk array 200 In the 
disk array 200 interior, it can consider that this transfer is an unjust transfer, and it can be 
canceled. 

[0035] In the disk array which is connected to IP network by the above configuration and 
actuation with an iSCSI technique according to this operation gestalt, a security function 
equivalent to the conventional LUN security is realizable with the group of the source IP address 
in an IP packet, and a destination IP address. 

[0036] Moreover, in the router which connects a network mutually, a security function equivalent 
to the conventional LUN security is [ the exterior of a disk array ] realizable with the group of 
the same IP address. 

[0037] Furthermore, from a host, since the same environment as I hear that it is visible to that 
there are two or more disk arrays and equivalence, it is and there are many disk arrays can be 
built by one disk array, it is effective in the unitary management of being attained and lowering 
the management cost of a disk array more cheaply, to match an IP address for every LU. 
[0038] Furthermore, it is possible to shift the whole IP address which matched large LU of a load 
when shifting to another interface or another equipment, and from a host, after becomes 
accessible in the same environment and is henceforth effective in henceforth being easily 
realizable. 

[0039] In addition, in this example, although the transfer of the management information from an 
administration terminal 400 to a disk array 200 and a router 300 is performed through the 
network B510, management information may be transmitted using the dedicated line 710 which 
connects a router 300 to the dedicated line 700 and administration terminal 400 which connect a 
disk array 200 to the administration terminal 400 instead of a network B510 as shown in drawing 
6 . Dedicated lines 700 and 710 are realizable by for example, a serial communication line etc. 
[0040] moreover, the IP address corresponding to LU 1-234 in this case although LU 1-234 is 
accessed in this example by only the host on a network B510 — if "0001" is made into an 
effective local address only on a network B510, the data transfer of going away to an outer 
network through a router about LU 1-234 will be lost, and will serve as insurance in security. 
[0041] Moreover, although the host explained in this example in the example which becomes an 
initiator and accesses a disk array, the data transfer from which the disk array became an 
initiator is also considered for the long distance backup through the Internet etc. In such a case, 
a security check can be carried [ in / as well as this example / the data transfer from a disk 
array 200 to the equipment on an external network ] out by filtering by the group of a transfer IP 
address on a router 300 by matching the IP address for initiators with LU for backup. 
[0042] Moreover, although explained with this operation gestalt that the host had a single 
network interface, a host has two or more network interfaces, and even when using another IP 
address for each, it can realize similarly. Furthermore, when a host assigns two or more IP 



http://www4.ipdljpo.gojp/cgi-bin/tran_web_cgi_ejje 



2004/03/25 



6/6 s<— V 



addresses to one network interface and changes a usage for every IP address, as two or more 
hosts exist, it can realize. 

[0043] Moreover, although it was explained with this operation gestalt that the disk array had a 
single network interface, even when a disk array has two or more network interfaces and uses 
another two or more IP addresses for each, it can realize similarly. 

[0044] Moreover, although the IP address-LUN matching means 214 and IP filtering means 216 
were formed in the disk array 200 with this operation gestalt, these may not be prepared but an 
applicable function may be realized by MPU224 and memory 222. 
[0045] 

[Effect of the Invention] A means by which two or more IP addresses can be held to the network 
interface of a disk array according to this invention as stated above, The means which matches 
LU and the IP address inside a disk array, and the means which looks at the group of the source 
IP address of an IP packet and a destination IP address, and can filter a transfer are established. 
It is supposed to a transfer of a host and LU that the IP address matched with LU is specified as 
a destination IP address, and is transmitted. When an administration terminal sets up the transfer 
[ an IP address, mapping of LUN, and ] of the group of which source IP address and destination 
IP address are permitted An unjust transfer can be canceled now by investigating the group of a 
source IP address and a destination IP address with a disk array and a router. The effectiveness 
that security equivalent to the LUN security conventional in the router top of the exterior of a 
disk array and a disk array is realizable is acquired. 



[Translation done.] 
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* NOTICES * 

Japan Patent Office is not responsible for any 
damages caused by the use of this translation. 

1. This document has been translated by computer. So the translation may not reflect the original 
precisely. 

2. **** shows the word which can not be translated. 
3.1n the drawings, any words are not translated. 



DESCRIPTION OF DRAWINGS 



[Brief Description of the Drawings] 

[Drawing 1] It is the network configuration Fig. of this invention. 

[Drawing 2] It is the internal-block Fig. of the disk array in this invention. 

[Drawing 3] It is the internal-block Fig. of the administration terminal in this invention. 

[Drawing 4] It is drawing showing the mapping table of an IP address and LUN. 

[Drawing 5] It is drawing in which a host shows the table of accessible LU. 

[Drawing 6] It is the network configuration Fig. of another configuration. 

[Description of Notations] 

100 [ — Host D, 200 / — A disk array, 300 / — A router, 400 / — An administration terminal, 
210 / — A network interface, 212 / — Two or more IP address maintenance means, 214 / — 
An IP address-LUN matching means, 216 / — IP filtering means. ] — Host A, 110 — Host B, 
120 — Host C, 130 



[Translation done.] 
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